How can businesses assess and mitigate the security threat of networked devices such as printers that have operating systems which can continually re-infect networks with malware?
When we conduct a penetration test of a corporate network, we typically find dozens of printers offering management pages without passwords. This means that anyone on the network could not only print to the machine, but also control it, change the print settings and send faxes, writes Peter Wood, member of the ISACA Conference Committee and founder of First Base Technologies. Worse still, some malware can infect unprotected printers, creating a nightmare for network administrators.
In January 2007, Computerworld reported that McCormick and Co. had been hit by the Blaster worm, which kept re-infecting the company's network. It turned out that Blaster and some instances of the Sasser worm were trying to spread from infected networked printers. There has since been little public evidence of printer-based attacks spreading across large networks, which has left printer security neglected in most organisations.
Security researchers have also demonstrated how to bypass authentication, inject commands that run as root and craft shellcode to take over printers. This opens the door to all sorts of attacks, including intercepting passwords, grabbing print jobs and even bridging from low-security areas to high-security areas. Any remote code-execution vulnerability in the printer's firmware, such as a buffer overflow in a protocol parser, is enough to spread a bot to the printer or use it as a launch pad for other attacks; a weakness in the web management interface, such as cross-site scripting, lets an attacker drive the printer's settings through an administrator's browser.
As PCs and servers become more secure through tougher security standards and best practices, attackers are likely to turn to unprotected printers. Many network printers and multifunction devices run an embedded operating system, and those running embedded Windows interact with the network just like any other Windows-based system and are exposed to the same worms.
To minimise the risk, organisations need to change default passwords (and set one where none exists) and enable encrypted management interfaces, such as HTTPS and SNMPv3, rather than plain-text web, telnet or SNMPv1/v2c connections. They should also disable unused services on printers, which typically come with everything enabled out of the box.
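The two findings above, management pages that open without a password and printers shipping with every service enabled, can be checked with a small audit script. The following is an added example written for this page, not code from the article or from First Base Technologies. It assumes the printer exposes its services on the usual ports (9100 raw/JetDirect, 515 LPD, 631 IPP, 21 FTP, 23 telnet, 80/443 web management, 161 SNMP) and that an unauthenticated GET of the management page returning 2xx means no password is set; the "needed" classification of each service is an assumption for a print-only deployment and should be adjusted to local policy. The assessment logic is kept separate from the network probes so it can be exercised against constructed scan results without a live printer.

```python
#!/usr/bin/env python3
"""Audit a network printer for exposed services and an unprotected management page.

Added example, not part of the original article. Port list, service
classification and the sample target address are assumptions for illustration.
"""
import socket
import http.client

# Services a typical printer ships with enabled, keyed by TCP port.
# Fields: (name, keep_for_print_only_deployment, plaintext_management_channel)
# Classification is an assumption for illustration; adjust to local policy.
SERVICES = {
    9100: ("raw (JetDirect) printing", True, False),
    515: ("LPD printing", False, False),
    631: ("IPP printing", False, False),
    21: ("FTP", False, True),
    23: ("telnet management", False, True),
    80: ("HTTP web management", False, True),
    443: ("HTTPS web management", True, False),
    161: ("SNMP (v1/v2c community strings travel in clear)", False, True),
}


def probe_tcp(host, port, timeout=1.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_web_status(host, port=80, timeout=2.0):
    """HTTP status of an unauthenticated GET / on the management page, or None.

    401/403 means the page demands credentials; 2xx means anyone can open it.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        status = conn.getresponse().status
        conn.close()
        return status
    except OSError:
        return None


def assess(open_ports, web_status):
    """Turn probe results into a list of findings.

    Pure function: takes the set of open TCP ports and the status code of the
    unauthenticated GET /, so it can be tested on constructed scan results.
    """
    findings = []
    for port in sorted(open_ports):
        name, keep, plaintext = SERVICES.get(
            port, (f"unknown service on {port}", False, False)
        )
        if plaintext:
            findings.append(
                f"port {port}: {name} is a plaintext channel; "
                "disable it or use the encrypted equivalent"
            )
        elif not keep:
            findings.append(f"port {port}: {name} is not needed here; disable it")
    if 80 in open_ports and web_status is not None and 200 <= web_status < 300:
        findings.append(
            "web management page opens without credentials; set an administrator password"
        )
    return findings


def audit(host, ports=tuple(SERVICES)):
    """Probe a live printer and return its findings."""
    open_ports = {p for p in ports if probe_tcp(host, p)}
    web_status = probe_web_status(host) if 80 in open_ports else None
    return assess(open_ports, web_status)


if __name__ == "__main__":
    import sys

    # 192.0.2.10 is a documentation (TEST-NET) address, used here as a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    for line in audit(target):
        print(line)
```

Run it as `python3 printer_audit.py <printer-ip>` from a host that can reach the printer's management interface. A printer that only answers on 9100 and 443, and whose web page returns 401, produces no findings; the usual out-of-the-box configuration (telnet, HTTP, SNMP open, no admin password) produces one finding per plaintext service plus the missing-password finding, which is exactly the list to hand to whoever owns the device.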
This was first published in October 2009